August 7, 2023
By Val Besong, Shadi Albouyeh and Damneet Basak

The transfer of data and procedures from legacy systems to the cloud necessitates adherence to current data security protocols and regulations for handling data at rest, data in transit and data in use. It comes as no surprise that organizations have identified security and data protection as the primary obstacles when it comes to migrating sensitive applications and data to the public cloud. Despite the advantages of cloud-ready architectures, such as simplicity and support for microservices, concerns persist regarding the potential mishandling of data by the cloud service provider. Organizations want to encrypt their data in the cloud using their own encryption keys and retain control over and manage these keys.

IBM Power Virtual Server is an IBM infrastructure-as-a-service (IaaS) offering that enables existing or new Power clients to extend their on-premises environments to the cloud. It is used to expand clients’ on-premises servers to modern-day hybrid cloud infrastructures, enabling them to seamlessly move and manage their workloads across cloud and on-premises environments. With Power Virtual Server, businesses can quickly deploy one or more virtual servers running either AIX, Linux or IBM i through the IBM Cloud catalog. Businesses can achieve cost and operational efficiency by reducing their CapEx attached to on-premises infrastructure and the time needed to maintain that infrastructure.

IBM Key Protect for IBM Cloud can be used for client data encryption, and keys can be managed through multi-cloud key management. IBM® Key Protect for IBM Cloud® is a centralized, full-service key management service that provides data-at-rest encryption for your data stored in IBM Cloud, using envelope encryption techniques that leverage FIPS 140-2 Level 3 certified cloud-based hardware security modules.

The integration of IBM Power Virtual Server with IBM Key Protect enables enhanced data security through encryption to meet your compliance requirements. Thus, we are pleased to announce the availability of IBM Key Protect for IBM Power Virtual Server. With this announcement, customers have a choice of key management—they can bring their own keys (BYOK) using the Key Protect service or, for highly sensitive data, they can keep their own key (KYOK) with IBM Cloud Hyper Protect Crypto Services.

Figure: Power Virtual Server integrated with Key Protect Service/Hyper Protect Crypto Services.

Benefits

With configurable settings, the confidentiality of your data is ensured with security measures that are built upon Operational Assurance, providing a robust framework for safeguarding your information. Moreover, the option to bring your own keys allows you to have control of the key, providing enhanced protection. The multi-tenant key management service in IBM Cloud can be used to manage your key, which can support efficiency.  

What’s the difference between IBM Key Protect and IBM Hyper Protect Crypto Services?

IBM Key Protect and IBM Hyper Protect Crypto Services are now available on IBM Power Virtual Server. Here are the key differences between the two offerings.

IBM Key Protect employs FIPS 140-2 Level 3 certified HSM appliances for cryptographic operations. This certification ensures that the contents of the cloud hardware security module (HSM) are protected from potential intrusion, mitigating risks like unauthorized access due to consecutive bad login attempts, changes to critical policies, chassis interference and similar threats.

On the other hand, IBM Hyper Protect Crypto Services (HPCS) utilizes FIPS 140-2 Level 4 certified IBM Z Crypto Cards, representing the highest level of security certification. This ensures that the physical security mechanisms surrounding the cryptographic module offer comprehensive protection against unauthorized physical access. HPCS is also a single-tenant key management service with a cloud hardware security module (HSM), so that clients have full control of both the HSM and the lifecycle of the keys. HPCS also supports multicloud key management with its Unified Key Orchestrator (UKO), so that you can manage keys across deployments in IBM Cloud, Azure, AWS and GCP.

Both services leverage hardware security modules, which are tamper-resistant devices that securely store and use cryptographic keys within a cryptographic boundary. All key-related operations, including creation and rotation, are performed within the HSM, enhancing the security of your cryptographic operations.

Start reaping the benefits

IBM Power Virtual Server with Key Protect Service is now available in 18 data centers across the globe. You can integrate the Key Protect service with Power Virtual Server instances to securely store and protect encryption key information for AIX and Linux. Please refer to the product guide for additional information. For specific questions, please contact Shadi Albouyeh or Damneet Basak directly.

Please contact IBM today to get started with IBM Power Virtual Server with IBM Key Protect.
